Advocates Want FCC to Address Car Hacking Threat

The burgeoning Internet of Things has brought with it a slew of new devices. The automobile industry is among those poised to be a key player in this world, with technology that could enable vehicles to communicate with one another and infrastructure such as smart traffic lights.

But those developments bring with them added vulnerabilities for carmakers. Hackers could exploit vehicles’ use of airwaves to steal personal information or even take control of driving functions. Those worries have prompted advocacy groups and some Senate Democrats to call on the Federal Communications Commission to issue rules requiring automakers to bolster cybersecurity and privacy protections for consumers.

The rulemaking process will take a step forward Wednesday, the deadline for comments on a petition filed in June with the FCC requesting that the agency draft rules for the privacy and cybersecurity practices of automobile and tech companies that use the Direct Short Range Communication service. Responses to those comments are due on Sept. 8.

DSRC spectrum are the bands of airwaves the auto industry hopes to use for vehicle-to-vehicle communication and that will permit cars to communicate with traffic lights and other transportation infrastructure.

Harold Feld, senior vice president at Public Knowledge, one of the two groups that filed the rulemaking petition, says automakers aren’t yet in a position to deploy the communications technologies that will enable vehicles to connect to traffic light systems or make payments at gas stations.

“You have to have a cybersecurity plan in place,” Feld said. “You have to explain to us how you’re going to handle vulnerabilities.”

Public Knowledge filed the petition with the New America Foundation’s Open Technology Institute. Those two groups joined 16 other organizations in writing a letter Wednesday to the FCC urging Chairman Tom Wheeler to grant the petition.

“Without Commission action on the petition, DSRC licensees are free to partner with any commercial data broker, advertiser or any other third party with virtually no notice to consumers and no need to obtain consumer permission — or even provide consumers with a means of opting out of these commercial arrangements,” the groups wrote.

Representatives of the Electronic Frontier Foundation, the Electronic Privacy Information Center and Consumer Watchdog were among the signatories.

The groups also argue that the bands of spectrum of significance shouldn’t go towards insecure communication technology when those airwaves are allocated by the FCC for “the protection of life and safety,” such as public safety messages.

Audi said earlier this month that this fall, it will become the first car company with models that can connect to traffic lights in select U.S. cities. Those vehicles will display a dashboard countdown for how long before a stoplight turns from red to green.

Audi will use LTE connections, instead of DSRC spectrum, to link its cars to the systems controlling traffic lights.

Other applications could see individuals using their cars to pay for gas at stations and food or drinks at drive-thrus.

The petition seeks to ensure that companies take the appropriate steps to protect consumers’ personal information, especially sensitive financial data that vehicles would have to store to make electronic payments.

Public Knowledge and the Open Technology Institution are also asking the FCC to prevent carmakers from rolling out the technology until the security problem is solved.

The automobile industry certainly has improvements to make on cybersecurity systems, but people associated with the sector also say carmakers already are working hard to accomplish that goal. “If you don’t have a secure, safe car, you’re not going to sell that car,” Mike Overly, a partner at Foley & Lardner LLP who works in tech and information security law, said in an interview. “No automotive company wants to see a vehicle that’s the subject of a serious hack.”

Overly has worked with automotive companies both as a lawyer and an engineer. He was an engineer at ZF TRW, an automotive safety systems developer, before he went to law school.

“I’d say absolutely, positively that this has become Job One, that car companies understand very well the complexity of the systems that they are creating,” Overly said, adding that carmakers have been working for some time to bolster information security for a wireless-connected car.

Overly agrees that the industry needs cybersecurity and privacy standards, but he says it could be an industry-led set of guidelines if one is not created by the FCC or the Commerce Department’s National Institute of Standards and Technology. He is not overtly opposed to a government-created standard, but he is less worried than privacy advocates about the industry’s ability to protect its customers.

Overly added that a “security rating” could become part of the process of buying a car in the same vein buyers now check a vehicle’s fuel rating.

This is an issue that worries many federal bureaucrats and lawmakers. Federal Bureau of Investigation, the Department of Transportation, and the National Highway Traffic Safety Administration put out a joint Public Service announcement in March warning the public and the automobile industry of cybersecurity vulnerabilities that exist in cars today and in the future.

The PSA noted that a vehicle’s susceptibilities may lie in its wireless communications functions, for example in a mobile device connected to the car through Bluetooth, a USB or Wi-Fi. Third-party devices connected to the car can also cause vulnerabilities, the agencies said.

“In these cases, it may be possible for an attacker to remotely exploit these vulnerabilities and gain access to the vehicle’s controller network or to data stored on the vehicle,” the announcement said.

In July 2015, two hackers showed WIRED how they could remotely access a Jeep Cherokee’s systems to manipulate the air conditioning and radio settings, as well as cut the transmission entirely while the reporter was on the highway. Later that month, Fiat-Chrysler formally recalled 1.4 million of their cars that could have been affected by the vulnerability.

Earlier this month, the two hackers showed newer tricks at the Black Hat hacker conference. The pair could breach the systems of the same Jeep model to accelerate, turn the steering wheel and slam on the brakes at higher speeds, according to NBC News. The only difference was that the first demonstration had been conducted remotely and in the most recent demo, the hackers plugged the laptop directly into the Jeep’s network just under its dashboard.

Democratic Sens. Richard Blumenthal of Connecticut and Ed Markey of Massachusetts have also pressured the FCC to take steps to ensure vehicle cybersecurity. Earlier this month, the fellow Senate Commerce Committee members wrote to FCC Chairman Tom Wheeler pressing the agency to use its power to place “robust cybersecurity and privacy provisions” on entities using DSRC spectrum.

That letter asked for a response from Wheeler by Aug. 25. An FCC spokeswoman said she was unaware of a reply from Wheeler.

Markey and Blumenthal have pressed for such protections for some time. Markey introduced S.1806 in July 2015 with Blumenthal. The measure would direct the National Highway Traffic Safety Administration to draft cybersecurity rules to ensure that vehicles made for sale in the U.S. will protect electronic control mechanisms and driving data.

Markey released a report in February 2015 that detailed the growing threat hackers posed to cars with wireless technologies. The report said almost 100 percent of vehicles on the market were equipped with wireless technologies that “could pose vulnerabilities to hacking or privacy intrusions” and that most carmakers were “unaware of or unable to report on past hacking incidents.”

Vehicle-to-vehicle technology isn’t just a commodity seeking to tap into the convenience of the app economy. It’s also set to play a big role in the future of safety through features such as collision avoidance.

These applications would use the cars’ connectivity to help avoid crashes at intersections and on highways, as well as issuing warnings at highway-railway crossings and work zones. Another feature could enable drivers to receive warnings of curves in a road along with the suggested speed at which they proceed.

Officials at the California Department of Transportation (also known as Caltrans) filed comments Friday with the FCC in opposition to rules touting those potential uses of DSRC airwaves, saying they are “extremely concerned” that imposing any regulations could delay life-saving technology.

The state transportation agency said that the technology “holds the promise” of preventing and softening “many” of the thousands of fatal collisions on U.S. highways annually as well as highway workers.

Caltrans says more than 20,000 highway workers are killed or injured at work each year. “DSRC will provide the means to help reduce the number of highway worker injuries,” Caltrans said in its comments. “DSRC will also aid emergency personnel responding to incidents, including: fires, police and medical emergencies, and other events.”